By: Vimal Gupta, AWS Database and Infrastructure Manager
In many companies, users have launched instances with roles, and those instances are now in production. These roles were created with full access, e.g. administrator access. Historically, you could not detach a role from an instance profile once it was in use. Maintaining a large number of roles is too great a burden on infrastructure engineers. Policing each role and checking the scope it is used for across the corporate infrastructure is very time-consuming. Engineers often have to write complex scripts that walk all the AWS accounts, report on the individual roles, and clean them up along with their policies. They could do everything except detach the role from a running instance, until this new feature was released recently.
The newly provisioned ability to detach an IAM role from, and attach one to, an existing instance makes our job much simpler. DevOps engineers can consolidate the roles, attach policies that meet corporate mandates, and replace old non-compliant roles with the new role. They should also detach the old roles from the instance profiles that are not meant for existing or new instances. This step is necessary to prevent roles that we do not want users to attach to their instances from being offered when launching new instances via the dashboard, CloudFormation, or the CLI. To have better control over instance-specific roles, policies can include a “deny” on creating new instance profiles, which enforces the use of pre-built roles (whose instance profile already exists) that are built to your corporate compliance standards. With fewer roles, you have better control.
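As an added example (not from the original post) of the consolidation described above: a script that plans and performs the in-place swap of retired instance profiles for a compliant one on running instances, alongside the “deny” policy that keeps users from creating new instance profiles. It assumes boto3 for the live run; the account ID, instance IDs, association IDs and profile ARNs are constructed sample values, and the deny on `iam:AddRoleToInstanceProfile` is an extra hardening choice beyond what the post describes.

```python
# Explicit deny that stops users from minting their own instance profiles, so
# launches must pick a pre-built, compliant one. Denying AddRoleToInstanceProfile
# is an extra hardening step beyond the post: it blocks repurposing existing ones.
DENY_NEW_INSTANCE_PROFILES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyNewInstanceProfiles",
        "Effect": "Deny",
        "Action": ["iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile"],
        "Resource": "*",
    }],
}

def plan_replacements(associations, retired_profile_arns):
    """Select associations to move: the instance uses a retired profile and the
    association is settled ('associated'), not mid-transition."""
    return [(a["AssociationId"], a["InstanceId"]) for a in associations
            if a.get("State") == "associated"
            and a["IamInstanceProfile"]["Arn"] in retired_profile_arns]

def migrate(compliant_profile_arn, retired_profile_arns, region="us-east-1"):
    """Live run: swap the profile in place on each running instance, no stop/start.
    Needs boto3 plus ec2:DescribeIamInstanceProfileAssociations and
    ec2:ReplaceIamInstanceProfileAssociation; returns the number swapped."""
    import boto3  # imported here so the planning logic runs without it
    ec2 = boto3.client("ec2", region_name=region)
    associations = []
    paginator = ec2.get_paginator("describe_iam_instance_profile_associations")
    for page in paginator.paginate():
        associations.extend(page["IamInstanceProfileAssociations"])
    plan = plan_replacements(associations, retired_profile_arns)
    for assoc_id, _instance_id in plan:
        ec2.replace_iam_instance_profile_association(
            IamInstanceProfile={"Arn": compliant_profile_arn}, AssociationId=assoc_id)
    return len(plan)

# Constructed sample shaped like DescribeIamInstanceProfileAssociations output.
RETIRED = "arn:aws:iam::111122223333:instance-profile/AdminAccessProfile"
COMPLIANT = "arn:aws:iam::111122223333:instance-profile/CompliantAppProfile"

def _assoc(assoc_id, instance_id, state, arn):  # builder for the constructed sample
    return {"AssociationId": assoc_id, "InstanceId": instance_id, "State": state,
            "IamInstanceProfile": {"Arn": arn}}

SAMPLE_ASSOCIATIONS = [
    _assoc("iip-assoc-0aaa", "i-0aaa", "associated", RETIRED),      # must move
    _assoc("iip-assoc-0bbb", "i-0bbb", "associated", COMPLIANT),    # already compliant
    _assoc("iip-assoc-0ccc", "i-0ccc", "disassociating", RETIRED),  # in transition, skip
]
```

Once every instance has been moved, the retired role can be removed from its profile with `iam:RemoveRoleFromInstanceProfile` so it no longer appears in the launch wizard.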
All this has become simpler since the new IAM role feature became available. Otherwise, you would have to deal with creating snapshots of the instances, notifying the user community, stopping the instances, creating new ones, joining them to the domain, preserving the IP addresses and FQDNs, putting them back behind the ELB, and a longer downtime.